What audit-grade actually looks like.
A universal opener on recipient-verifiability, framework guides for the active focus (CMMC + PCI), and closers on the readiness rubric and the missing middle of the compliance market. Each reads independently — read in order for the full thesis.
- #1Cross-framework· 10 min read
Why your compliance vendor’s PDF is not assessment evidence
A buyer’s guide to recipient-verifiable compliance deliverables
What assessors actually need on audit day, why most compliance platforms can’t ship it, and the 5 properties that distinguish an assessment-grade deliverable from a vendor claim.
- #2CMMC · Fortress· 9 min read
32 CFR Part 170: why your CMMC RP and your C3PAO cannot be the same firm
A CMMC vendor-selection guide for Defense Industrial Base contractors
What the regulation requires, why the separation between prep-side and assessment-side vendors exists, and how to structure your CMMC vendor stack to survive scrutiny.
- #4PCI DSS · Vault· 9 min read
Two-party attestation: how the PCI AoC handoff should work
A PCI DSS v4.0.1 guide for merchants and service providers
Why the single-signature AoC has structural weakness, what two-party attestation means in practice, and how to ship the document to your QSA and your acquirer as two independently verifiable artifacts.
- #6Cross-cutting· 7 min read
A / B / C readiness: what an auditor-comprehensible tier rubric actually looks like
A buyer’s guide to compliance scoring
Why the 0–100 dashboards every SaaS compliance vendor ships fail at the executive table, and what a working readiness rubric looks like when you need to make real decisions about audit-day exposure.
- #7Cross-cutting· 11 min read
From DIY SaaS to firm engagement: the missing middle of compliance
A buyer’s decision framework for compliance vendor selection
Why the two markets every compliance buyer evaluates — SaaS automation and big-firm engagements — both fail specific buyer segments, what the missing middle actually requires, and how to evaluate vendors who claim to fill it.
- #8Cross-cutting· 10 min read
Trust Without Asking: the security architecture of the Key 102 portal
A technical briefing for buyers, auditors, and security teams
Five architectural choices Key 102 made to remove the "trust us" gap: no regulated data at rest, RLS enforced in the database, no-impersonation in code, hash-chained TSA-anchored audit log, and our own posture publicly verifiable.
Ready for the diagnostic?
The Mission Brief is a 90-minute engagement with Tammie and a practitioner. You walk out with your initial readiness tier and the regulator-ready artifact for your framework.
